Date: Fri, 31 Jul 2020 16:54:21 -0700 (PDT)
Message-Id: <20200731.165421.653261887142519995.davem@davemloft.net>
From: David Miller
To: yepeilin.cs@gmail.com
Cc: santosh.shilimkar@oracle.com, kuba@kernel.org, dan.carpenter@oracle.com, arnd@arndb.de, gregkh@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH net] rds: Prevent kernel-infoleak in rds_notify_queue_get()
In-Reply-To: <20200730192026.110246-1-yepeilin.cs@gmail.com>
References: <20200730192026.110246-1-yepeilin.cs@gmail.com>
List-ID: <linux-kernel.vger.kernel.org>

From: Peilin Ye
Date: Thu, 30 Jul 2020 15:20:26 -0400

> rds_notify_queue_get() is potentially copying uninitialized kernel stack
> memory to userspace since the compiler may leave a 4-byte hole at the end
> of `cmsg`.
>
> In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which
> unfortunately does not always initialize that 4-byte hole. Fix it by using
> memset() instead.
>
> Cc: stable@vger.kernel.org
> Fixes: f037590fff30 ("rds: fix a leak of kernel memory")
> Fixes: bdbe6fbc6a2f ("RDS: recv.c")
> Suggested-by: Dan Carpenter
> Signed-off-by: Peilin Ye

Applied and queued up for -stable, thanks.

I saw a suggestion to use __packed but that breaks UAPI and is definitely
not an option to solve this problem.
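The thread turns on three facts: a struct with an 8-byte member followed by a 4-byte member is padded to 16 bytes, a C initializer is not required to zero that padding, and packing the struct changes its size and therefore the userspace ABI. The following userspace C program is an added illustration, not code from the patch or from the kernel tree. It uses a struct with the same member layout as the RDS notification (a 64-bit token and a 32-bit status), overlays it on a byte array so every byte can be inspected, and models the pre-fix path as "stale memory, then write only the named members", which is one of the things a compiler is permitted to emit for `= { 0 }`. The poison value, the overlay union and the helper names are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stddef.h>

/* Same member layout as the notification struct copied to userspace:
 * an 8-byte token followed by a 4-byte status. Natural alignment of the
 * 8-byte member pads the struct to 16 bytes, leaving a 4-byte tail hole. */
struct rds_rdma_notify {
    uint64_t user_token;
    int32_t  status;
};

/* The __packed alternative mentioned in the thread: same members, but
 * sizeof() drops to 12, so the bytes userspace reads no longer match
 * the existing ABI. Shown only to demonstrate the size change. */
struct rds_rdma_notify_packed {
    uint64_t user_token;
    int32_t  status;
} __attribute__((packed));

#define POISON 0xAA  /* stands in for stale kernel stack contents (constructed) */

/* Overlay so that every byte of the struct, padding included, is readable. */
union notify_view {
    struct rds_rdma_notify n;
    unsigned char raw[sizeof(struct rds_rdma_notify)];
};

/* Bytes of the struct not covered by any named member. */
size_t notify_padding_bytes(void)
{
    return sizeof(struct rds_rdma_notify)
         - sizeof(((struct rds_rdma_notify *)0)->user_token)
         - sizeof(((struct rds_rdma_notify *)0)->status);
}

/* Counts bytes in the tail hole that still hold the poison value,
 * i.e. bytes that would reach userspace uninitialised. */
static size_t count_poisoned_padding(const union notify_view *v)
{
    size_t hole_start = offsetof(struct rds_rdma_notify, status) + sizeof(int32_t);
    size_t poisoned = 0;
    for (size_t i = hole_start; i < sizeof(v->raw); i++)
        if (v->raw[i] == POISON)
            poisoned++;
    return poisoned;
}

/* Models the pre-fix path: the memory holds stale data, then only the named
 * members are written. C does not require an initializer such as `= { 0 }`
 * to clear padding, so a compiler may legitimately emit exactly this. */
size_t leak_with_member_init(uint64_t token, int32_t status)
{
    union notify_view v;
    memset(v.raw, POISON, sizeof(v.raw));   /* stale stack contents */
    v.n.user_token = token;
    v.n.status = status;
    return count_poisoned_padding(&v);      /* 4 bytes of poison survive */
}

/* The fix from the patch: memset() the whole object, padding included,
 * before filling in the members. */
size_t leak_with_memset(uint64_t token, int32_t status)
{
    union notify_view v;
    memset(v.raw, POISON, sizeof(v.raw));   /* stale stack contents */
    memset(&v.n, 0, sizeof(v.n));           /* zeroes members and padding */
    v.n.user_token = token;
    v.n.status = status;
    return count_poisoned_padding(&v);      /* nothing left to leak */
}

int main(void)
{
    printf("sizeof natural=%zu packed=%zu padding=%zu\n",
           sizeof(struct rds_rdma_notify),
           sizeof(struct rds_rdma_notify_packed),
           notify_padding_bytes());
    printf("poisoned padding bytes: member-init=%zu memset=%zu\n",
           leak_with_member_init(0x1122334455667788ULL, -5),
           leak_with_memset(0x1122334455667788ULL, -5));
    return 0;
}
```

The same audit generalises to any struct handed to copy_to_user(): compare sizeof() against the sum of the member sizes, and treat any difference as bytes that must be cleared explicitly before the copy.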